summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c77
1 files changed, 68 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c
index cdc029308..c938ae399 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ 2/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -20,6 +20,7 @@
20#include <netinet/in_systm.h> 20#include <netinet/in_systm.h>
21#include <netinet/ip.h> 21#include <netinet/ip.h>
22 22
23#include <ctype.h>
23#include <netdb.h> 24#include <netdb.h>
24#include <pwd.h> 25#include <pwd.h>
25#include <stdio.h> 26#include <stdio.h>
@@ -29,6 +30,9 @@
29#include <unistd.h> 30#include <unistd.h>
30#include <stdarg.h> 31#include <stdarg.h>
31#include <errno.h> 32#include <errno.h>
33#ifdef HAVE_UTIL_H
34#include <util.h>
35#endif
32 36
33#include "openbsd-compat/sys-queue.h" 37#include "openbsd-compat/sys-queue.h"
34#include "xmalloc.h" 38#include "xmalloc.h"
@@ -75,6 +79,7 @@ initialize_server_options(ServerOptions *options)
75 options->address_family = -1; 79 options->address_family = -1;
76 options->num_host_key_files = 0; 80 options->num_host_key_files = 0;
77 options->num_host_cert_files = 0; 81 options->num_host_cert_files = 0;
82 options->host_key_agent = NULL;
78 options->pid_file = NULL; 83 options->pid_file = NULL;
79 options->server_key_bits = -1; 84 options->server_key_bits = -1;
80 options->login_grace_time = -1; 85 options->login_grace_time = -1;
@@ -113,6 +118,8 @@ initialize_server_options(ServerOptions *options)
113 options->permit_user_env = -1; 118 options->permit_user_env = -1;
114 options->use_login = -1; 119 options->use_login = -1;
115 options->compression = -1; 120 options->compression = -1;
121 options->rekey_limit = -1;
122 options->rekey_interval = -1;
116 options->allow_tcp_forwarding = -1; 123 options->allow_tcp_forwarding = -1;
117 options->allow_agent_forwarding = -1; 124 options->allow_agent_forwarding = -1;
118 options->num_allow_users = 0; 125 options->num_allow_users = 0;
@@ -258,6 +265,10 @@ fill_default_server_options(ServerOptions *options)
258 options->use_login = 0; 265 options->use_login = 0;
259 if (options->compression == -1) 266 if (options->compression == -1)
260 options->compression = COMP_DELAYED; 267 options->compression = COMP_DELAYED;
268 if (options->rekey_limit == -1)
269 options->rekey_limit = 0;
270 if (options->rekey_interval == -1)
271 options->rekey_interval = 0;
261 if (options->allow_tcp_forwarding == -1) 272 if (options->allow_tcp_forwarding == -1)
262 options->allow_tcp_forwarding = FORWARD_ALLOW; 273 options->allow_tcp_forwarding = FORWARD_ALLOW;
263 if (options->allow_agent_forwarding == -1) 274 if (options->allow_agent_forwarding == -1)
@@ -329,7 +340,7 @@ typedef enum {
329 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 340 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
330 sStrictModes, sEmptyPasswd, sTCPKeepAlive, 341 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
331 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 342 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
332 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 343 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
333 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 344 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
334 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, 345 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
335 sMaxStartups, sMaxAuthTries, sMaxSessions, 346 sMaxStartups, sMaxAuthTries, sMaxSessions,
@@ -345,7 +356,7 @@ typedef enum {
345 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 356 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
346 sKexAlgorithms, sIPQoS, sVersionAddendum, 357 sKexAlgorithms, sIPQoS, sVersionAddendum,
347 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 358 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
348 sAuthenticationMethods, 359 sAuthenticationMethods, sHostKeyAgent,
349 sDeprecated, sUnsupported 360 sDeprecated, sUnsupported
350} ServerOpCodes; 361} ServerOpCodes;
351 362
@@ -370,6 +381,7 @@ static struct {
370 { "port", sPort, SSHCFG_GLOBAL }, 381 { "port", sPort, SSHCFG_GLOBAL },
371 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 382 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
372 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 383 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
384 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
373 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 385 { "pidfile", sPidFile, SSHCFG_GLOBAL },
374 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 386 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
375 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 387 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
@@ -443,6 +455,7 @@ static struct {
443 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 455 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
444 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 456 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
445 { "compression", sCompression, SSHCFG_GLOBAL }, 457 { "compression", sCompression, SSHCFG_GLOBAL },
458 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
446 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 459 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
447 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 460 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
448 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 461 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
@@ -530,7 +543,7 @@ derelativise_path(const char *path)
530 if (getcwd(cwd, sizeof(cwd)) == NULL) 543 if (getcwd(cwd, sizeof(cwd)) == NULL)
531 fatal("%s: getcwd: %s", __func__, strerror(errno)); 544 fatal("%s: getcwd: %s", __func__, strerror(errno));
532 xasprintf(&ret, "%s/%s", cwd, expanded); 545 xasprintf(&ret, "%s/%s", cwd, expanded);
533 xfree(expanded); 546 free(expanded);
534 return ret; 547 return ret;
535} 548}
536 549
@@ -822,13 +835,13 @@ process_server_config_line(ServerOptions *options, char *line,
822 struct connection_info *connectinfo) 835 struct connection_info *connectinfo)
823{ 836{
824 char *cp, **charptr, *arg, *p; 837 char *cp, **charptr, *arg, *p;
825 int cmdline = 0, *intptr, value, value2, n; 838 int cmdline = 0, *intptr, value, value2, n, port;
826 SyslogFacility *log_facility_ptr; 839 SyslogFacility *log_facility_ptr;
827 LogLevel *log_level_ptr; 840 LogLevel *log_level_ptr;
828 ServerOpCodes opcode; 841 ServerOpCodes opcode;
829 int port;
830 u_int i, flags = 0; 842 u_int i, flags = 0;
831 size_t len; 843 size_t len;
844 long long val64;
832 const struct multistate *multistate_ptr; 845 const struct multistate *multistate_ptr;
833 846
834 cp = line; 847 cp = line;
@@ -988,6 +1001,17 @@ process_server_config_line(ServerOptions *options, char *line,
988 } 1001 }
989 break; 1002 break;
990 1003
1004 case sHostKeyAgent:
1005 charptr = &options->host_key_agent;
1006 arg = strdelim(&cp);
1007 if (!arg || *arg == '\0')
1008 fatal("%s line %d: missing socket name.",
1009 filename, linenum);
1010 if (*activep && *charptr == NULL)
1011 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1012 xstrdup(arg) : derelativise_path(arg);
1013 break;
1014
991 case sHostCertificate: 1015 case sHostCertificate:
992 intptr = &options->num_host_cert_files; 1016 intptr = &options->num_host_cert_files;
993 if (*intptr >= MAX_HOSTKEYS) 1017 if (*intptr >= MAX_HOSTKEYS)
@@ -1151,6 +1175,37 @@ process_server_config_line(ServerOptions *options, char *line,
1151 multistate_ptr = multistate_compression; 1175 multistate_ptr = multistate_compression;
1152 goto parse_multistate; 1176 goto parse_multistate;
1153 1177
1178 case sRekeyLimit:
1179 arg = strdelim(&cp);
1180 if (!arg || *arg == '\0')
1181 fatal("%.200s line %d: Missing argument.", filename,
1182 linenum);
1183 if (strcmp(arg, "default") == 0) {
1184 val64 = 0;
1185 } else {
1186 if (scan_scaled(arg, &val64) == -1)
1187 fatal("%.200s line %d: Bad number '%s': %s",
1188 filename, linenum, arg, strerror(errno));
1189 /* check for too-large or too-small limits */
1190 if (val64 > UINT_MAX)
1191 fatal("%.200s line %d: RekeyLimit too large",
1192 filename, linenum);
1193 if (val64 != 0 && val64 < 16)
1194 fatal("%.200s line %d: RekeyLimit too small",
1195 filename, linenum);
1196 }
1197 if (*activep && options->rekey_limit == -1)
1198 options->rekey_limit = (u_int32_t)val64;
1199 if (cp != NULL) { /* optional rekey interval present */
1200 if (strcmp(cp, "none") == 0) {
1201 (void)strdelim(&cp); /* discard */
1202 break;
1203 }
1204 intptr = &options->rekey_interval;
1205 goto parse_time;
1206 }
1207 break;
1208
1154 case sGatewayPorts: 1209 case sGatewayPorts:
1155 intptr = &options->gateway_ports; 1210 intptr = &options->gateway_ports;
1156 multistate_ptr = multistate_gatewayports; 1211 multistate_ptr = multistate_gatewayports;
@@ -1704,8 +1759,7 @@ int server_match_spec_complete(struct connection_info *ci)
1704} while (0) 1759} while (0)
1705#define M_CP_STROPT(n) do {\ 1760#define M_CP_STROPT(n) do {\
1706 if (src->n != NULL) { \ 1761 if (src->n != NULL) { \
1707 if (dst->n != NULL) \ 1762 free(dst->n); \
1708 xfree(dst->n); \
1709 dst->n = src->n; \ 1763 dst->n = src->n; \
1710 } \ 1764 } \
1711} while(0) 1765} while(0)
@@ -1751,6 +1805,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1751 M_CP_INTOPT(max_authtries); 1805 M_CP_INTOPT(max_authtries);
1752 M_CP_INTOPT(ip_qos_interactive); 1806 M_CP_INTOPT(ip_qos_interactive);
1753 M_CP_INTOPT(ip_qos_bulk); 1807 M_CP_INTOPT(ip_qos_bulk);
1808 M_CP_INTOPT(rekey_limit);
1809 M_CP_INTOPT(rekey_interval);
1754 1810
1755 /* See comment in servconf.h */ 1811 /* See comment in servconf.h */
1756 COPY_MATCH_STRING_OPTS(); 1812 COPY_MATCH_STRING_OPTS();
@@ -1787,7 +1843,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1787 linenum++, &active, connectinfo) != 0) 1843 linenum++, &active, connectinfo) != 0)
1788 bad_options++; 1844 bad_options++;
1789 } 1845 }
1790 xfree(obuf); 1846 free(obuf);
1791 if (bad_options > 0) 1847 if (bad_options > 0)
1792 fatal("%s: terminating, %d bad configuration options", 1848 fatal("%s: terminating, %d bad configuration options",
1793 filename, bad_options); 1849 filename, bad_options);
@@ -2004,6 +2060,7 @@ dump_config(ServerOptions *o)
2004 dump_cfg_string(sVersionAddendum, o->version_addendum); 2060 dump_cfg_string(sVersionAddendum, o->version_addendum);
2005 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2061 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2006 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2062 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2063 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2007 2064
2008 /* string arguments requiring a lookup */ 2065 /* string arguments requiring a lookup */
2009 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2066 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -2042,5 +2099,7 @@ dump_config(ServerOptions *o)
2042 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2099 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2043 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2100 printf("%s\n", iptos2str(o->ip_qos_bulk));
2044 2101
2102 printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval);
2103
2045 channel_print_adm_permitted_opens(); 2104 channel_print_adm_permitted_opens();
2046} 2105}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 03:56:23 +0000